Introduction

Voting pools are an arrangement of OT transaction servers to securely store and account for customer cryptocurrency deposits, and to redeem valid withdrawal requests even in the event the custodial entity has completely disappeared. They are designed to ensure that no single person or organization can ever perform unilateral actions on deposited funds, in order to reduce both the risk of loss or theft and custodial liability.

By forming voting pools, users of OT can create and transact in financial instruments which are based on Bitcoin (or other blockchain-based cryptocurrencies), and it's possible to create exchanges which cannot lose or steal customer cryptocurrency deposits. Voting pools are a "best of both worlds" merger between trustless blockchain technology and high speed server-mediated transactions.

Role of Open-Transactions

Open-Transactions (OT) is a financial cryptography library that implements triple entry accounting with destructible receipts. OT allows creditors to issue liabilities in the form of digitally signed and notarized receipts whose balances can be traded as currency and are available for manipulation via smart contracts and other financial instruments. Transactions are constructed by users and notarized by third party witnesses. OT maintains a real-time, cryptographically secured state of all liability balances for a given issuance type. Account balances in OT are protected from tampering with strong cryptography, which eliminates the co-mingling of funds between unrelated accounts. As an accounting system, OT does not normally have the ability to manipulate actual underlying assets, such as physical gold reserves.

Unlike other technologies for creating financial instruments in blockchain currencies, Open-Transactions does not use or require special tokens.

Role of Bitcoin

Bitcoin is a digital asset ledger that includes its own currency and payment system. Bitcoins are not backed by any issuer, and therefore carry no counterparty risk. The validity of the global Bitcoin ledger (blockchain) is enforced by a global P2P network which requires, on average, ten minutes to update.

Applications of voting pools

With regard to OT, Bitcoin (and other cryptocurrencies) form a unique case. Since cryptocurrencies can be manipulated digitally in a way that other assets cannot, OT servers can provide additional functions beyond merely ownership accounting. Importantly, in the case of cryptocurrencies, OT can provide auditing and safe storage of reserves on the blockchain itself. Since OT servers can process transactions more rapidly and inexpensively than a blockchain, it is desirable in many cases to allow an OT server to handle financial transactions off-chain, rather than performing them directly on the blockchain itself.

Many services in the cryptocurrency space already require this functionality. Currency exchanges and other trading platforms usually desire to perform order matching more rapidly than what is possible on the blockchain itself. These services accept custody of user funds, perform transactions in a separate off-chain system, and use a database to track customer balances. Typically these services are not cryptographically secured, or independently auditable. Customers also give full control of their deposited funds to the custodial service, which exposes them to the risk of theft or loss of their coins.

Unlike legacy currencies, cryptocurrencies can be irrevocably lost or stolen, and it’s typically not possible to distinguish between insider and external theft. Historically, this ambiguity appears to have been routinely exploited.

Voting pools are an open standard intended to be a universal replacement for bespoke systems that handle customer cryptocurrency deposits.

Overview

Voting pools bridge two worlds - OT and Bitcoin (cryptocurrency). The OT Voting Pool system consists of transaction servers, audit servers, and Bitcoin wallets held by wallet providers. OT tracks the BTC-denominated balances of every user of a service (down to 16 decimal places currently), as well as any "service" balances that may be held by the transaction servers. The Notary is the portion of a voting pool which is closest to the users themselves. Users can interact with notaries through software user-interface clients that generate API function calls, or directly through client-side scripts containing OT API function calls. The Notary acts as a backend processor for a deposit-accepting business (such as a currency exchange or issuer), and handles all issues related to cryptocurrency deposits, withdrawals, and balance updates.

The transaction server and the bitcoin wallet communicate via an Auditor. The Auditor independently verifies the OT operations of all transaction servers in the voting pool, as well as the bitcoins held by the pool on the blockchain itself. It uses this audit data to know when it should direct the wallet to create a withdrawal transaction, and it is also the component responsible for information sharing and achieving consensus between all members of the pool. It is the Auditors and the wallets who hold the keys to creating transactions at the request of the user, and the Auditors must all act by consensus and with the cooperation of the wallet to create multi-signature blockchain transactions.

In order to manage the actual bitcoins held by the pool, each transaction server has a corresponding blockchain wallet. The wallet software manages a hierarchical and deterministic list of addresses and the multi-signature transaction generation. The blockchain wallet supports standard cryptocurrency balances and separate tracking of colored coins. Most funds are held in a cold-wallet system where human interaction by multiple independent operators is required to rotate to a new sequence of hot-wallet addresses, and the blockchain wallet supports a formal "cold" state for addresses which require a signed consensus message to become "hot". Wallet providers maintain platforms robust enough to handle peak deposit and withdrawal volumes experienced by a popular service.

Security

Goals

In order to achieve the desired security and robustness goals for voting pools, the following criteria are enforced:

Customers should be strongly discouraged from reusing deposit addresses. The voting pool itself must never intentionally reuse a bitcoin address.

All Bitcoin addresses used by the pool must be deterministic for auditing purposes. Each member of the pool should be able to calculate all members’ series of deposit and change addresses.

Withdrawal transaction input selection must be deterministic in order to minimise the cost of coordinating transaction signing.

It must be possible to keep a majority of the private keys offline for security reasons, and bring them online as needed to process withdrawals.

It must be possible to alter the voting pool by adding, removing, or replacing members in a coordinated and secure fashion.
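The deterministic input selection goal, as an added example that is not part of the voting pool specification: two members who see the pool's unspent outputs in different orders still build the same spend when selection depends only on a canonical sort. The ordering rule (txid, then output index), the sample outputs and the destination placeholder are assumptions made for this illustration.

```python
import hashlib

# Constructed sample of unspent outputs held by the pool:
# (txid, output index, value in satoshis). Not real blockchain data.
POOL_UTXOS = [
    ("c3" * 32, 1, 40_000),
    ("a1" * 32, 0, 70_000),
    ("a1" * 32, 2, 25_000),
    ("b2" * 32, 0, 90_000),
]

def select_inputs(utxos, amount, canonical=True):
    """Pick inputs until the withdrawal amount is covered.

    canonical=True sorts by (txid, index) first, a rule assumed for this
    example that depends only on data every member reads from the chain.
    canonical=False uses the member's local arrival order instead.
    """
    ordered = sorted(set(utxos)) if canonical else list(utxos)
    chosen, total = [], 0
    for utxo in ordered:
        if total >= amount:
            break
        chosen.append(utxo)
        total += utxo[2]
    if total < amount:
        raise ValueError("pool balance cannot cover the withdrawal")
    return chosen

def signing_digest(inputs, destination, amount):
    """Hash standing in for the transaction body each member would sign."""
    body = "|".join(f"{txid}:{index}" for txid, index, _ in inputs)
    return hashlib.sha256(f"{body}->{destination}:{amount}".encode()).hexdigest()

def member_view(utxos, amount, destination, canonical=True):
    """What one member computes locally, without talking to the others."""
    inputs = select_inputs(utxos, amount, canonical)
    return signing_digest(inputs, destination, amount)

if __name__ == "__main__":
    other_member = list(reversed(POOL_UTXOS))  # same set, different local order
    dest = "DEST_ADDRESS_PLACEHOLDER"
    print(member_view(POOL_UTXOS, 100_000, dest) == member_view(other_member, 100_000, dest))
    print(member_view(POOL_UTXOS, 100_000, dest, False)
          == member_view(other_member, 100_000, dest, False))
```

With local arrival order the two members produce different digests and would need an extra negotiation round before any signature could be combined.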

Model

The goal of the voting pool security model is that users of deposit-accepting services should never experience a loss of deposited funds.

We can group the various ways in which this goal might not be met into two general categories:

Type 1 Event (Theft/Loss)

A user permanently loses their funds because a third party has gained control of them without the user’s consent, or because the private keys needed to spend them have been irrevocably lost.

Type 2 Event (Denial of Service)

A user temporarily loses some or all of their ability to use their funds, but no third party has gained control over them.

The term Type 0 Event will be used to describe all other abnormal conditions from which the pool must recover but which do not directly involve a loss of customer deposits.

Voting Pool Security Theorem

If the probability of m+1 (Type 1 Event) or n-m+1 (Type 2 Event) services simultaneously and identically behaving in a malicious or incompetent manner is lower than the probability of any individual server behaving in a malicious or incompetent manner, user deposits on that service are at less risk of loss if the service is a member of an m-of-n voting pool than if the service is not a member of a voting pool.

Voting pools can guarantee the integrity of user deposits if, in any given situation, at least m pool members are well-behaving for Type 1 events and at least n-m pool members are well-behaving for Type 2 events.
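The premise of the theorem can be checked numerically. The following is an added example, not part of the original page: it uses the theorem's thresholds (m+1 services for a Type 1 Event, n-m+1 for a Type 2 Event) and assumes, as a simplification the page does not state, that members misbehave independently with the same probability p.

```python
from math import comb

def tail_probability(n, k, p):
    """P(at least k of n members misbehave), assuming independence (example assumption)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0  # more failures required than there are members
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def pool_risk(m, n, p):
    """Evaluate the theorem's premise for an m-of-n pool.

    type1: probability that m+1 members misbehave together (theft/loss).
    type2: probability that n-m+1 members misbehave together (denial of service).
    The premise holds when both are below p, the risk of a lone service.
    """
    if not 1 <= m <= n:
        raise ValueError("require 1 <= m <= n")
    if not 0.0 < p < 1.0:
        raise ValueError("p must be a probability strictly between 0 and 1")
    type1 = tail_probability(n, m + 1, p)
    type2 = tail_probability(n, n - m + 1, p)
    return {"type1": type1, "type2": type2,
            "premise_holds": type1 < p and type2 < p}

def viable_thresholds(n, p):
    """All m for which the premise holds in a pool of n members."""
    return [m for m in range(1, n + 1) if pool_risk(m, n, p)["premise_holds"]]

if __name__ == "__main__":
    p = 0.05  # constructed per-member probability, for illustration only
    for m, n in [(2, 3), (3, 3), (3, 5)]:
        r = pool_risk(m, n, p)
        print(f"{m}-of-{n}: type1={r['type1']:.6f} type2={r['type2']:.6f} "
              f"premise_holds={r['premise_holds']}")
```

The n-of-n case is the edge worth noticing: a single unavailable member is enough for a Type 2 Event, so the denial-of-service probability exceeds p and the premise fails.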